1 /* authzid.c - RFC 3829 Authzid Control */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2010-2013 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software.
24 * must be instantiated as a global overlay
32 #include "ac/string.h"
34 typedef struct authzid_conn_t {
40 static ldap_pvt_thread_mutex_t authzid_mutex;
41 static Avlnode *authzid_tree;
44 authzid_conn_cmp( const void *c1, const void *c2 )
46 const authzid_conn_t *ac1 = (const authzid_conn_t *)c1;
47 const authzid_conn_t *ac2 = (const authzid_conn_t *)c2;
49 return SLAP_PTRCMP( ac1->conn, ac2->conn );
53 authzid_conn_dup( void *c1, void *c2 )
55 authzid_conn_t *ac1 = (authzid_conn_t *)c1;
56 authzid_conn_t *ac2 = (authzid_conn_t *)c2;
58 if ( ac1->conn == ac2->conn ) {
65 static int authzid_cid;
66 static slap_overinst authzid;
68 static authzid_conn_t *
69 authzid_conn_find( Connection *c )
71 authzid_conn_t *ac = NULL, tmp = { 0 };
74 ac = (authzid_conn_t *)avl_find( authzid_tree, (caddr_t)&tmp, authzid_conn_cmp );
75 if ( ac == NULL || ( ac != NULL && ac->refcnt != 0 ) ) {
85 static authzid_conn_t *
86 authzid_conn_get( Connection *c )
88 authzid_conn_t *ac = NULL;
90 ldap_pvt_thread_mutex_lock( &authzid_mutex );
91 ac = authzid_conn_find( c );
92 if ( ac && ac->refcnt ) ac = NULL;
93 if ( ac ) ac->refcnt++;
94 ldap_pvt_thread_mutex_unlock( &authzid_mutex );
100 authzid_conn_release( authzid_conn_t *ac )
102 ldap_pvt_thread_mutex_lock( &authzid_mutex );
104 ldap_pvt_thread_mutex_unlock( &authzid_mutex );
108 authzid_conn_insert( Connection *c, char flag )
113 ldap_pvt_thread_mutex_lock( &authzid_mutex );
114 ac = authzid_conn_find( c );
116 ldap_pvt_thread_mutex_unlock( &authzid_mutex );
120 ac = SLAP_MALLOC( sizeof( authzid_conn_t ) );
123 ac->authzid_flag = flag;
124 rc = avl_insert( &authzid_tree, (caddr_t)ac,
125 authzid_conn_cmp, authzid_conn_dup );
126 ldap_pvt_thread_mutex_unlock( &authzid_mutex );
132 authzid_conn_remove( Connection *c )
134 authzid_conn_t *ac, *tmp;
136 ldap_pvt_thread_mutex_lock( &authzid_mutex );
137 ac = authzid_conn_find( c );
139 ldap_pvt_thread_mutex_unlock( &authzid_mutex );
142 tmp = avl_delete( &authzid_tree, (caddr_t)ac, authzid_conn_cmp );
143 ldap_pvt_thread_mutex_unlock( &authzid_mutex );
157 struct berval edn = BER_BVNULL;
161 assert( rs->sr_tag = LDAP_RES_BIND );
163 if ( rs->sr_err == LDAP_SASL_BIND_IN_PROGRESS ) {
164 authzid_conn_t *ac = op->o_controls[ authzid_cid ];
166 authzid_conn_release( ac );
168 (void)authzid_conn_insert( op->o_conn, op->o_ctrlflag[ authzid_cid ] );
170 return SLAP_CB_CONTINUE;
173 (void)authzid_conn_remove( op->o_conn );
175 if ( rs->sr_err != LDAP_SUCCESS ) {
176 return SLAP_CB_CONTINUE;
179 if ( !BER_BVISEMPTY( &op->orb_edn ) ) {
182 } else if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
183 edn = op->o_conn->c_dn;
186 if ( !BER_BVISEMPTY( &edn ) ) {
187 ber_tag_t save_tag = op->o_tag;
188 struct berval save_dn = op->o_dn;
189 struct berval save_ndn = op->o_ndn;
192 /* pretend it's an extop without data,
193 * so it is treated as a generic write
195 op->o_tag = LDAP_REQ_EXTENDED;
198 rc = backend_check_restrictions( op, rs, NULL );
199 op->o_tag = save_tag;
201 op->o_ndn = save_ndn;
202 if ( rc != LDAP_SUCCESS ) {
203 rs->sr_err = LDAP_CONFIDENTIALITY_REQUIRED;
204 return SLAP_CB_CONTINUE;
207 len = STRLENOF("dn:") + edn.bv_len;
210 /* save original controls in sc_private;
211 * will be restored by sc_cleanup
213 if ( rs->sr_ctrls != NULL ) {
214 op->o_callback->sc_private = rs->sr_ctrls;
215 for ( ; rs->sr_ctrls[n] != NULL; n++ )
219 ctrls = op->o_tmpalloc( sizeof( LDAPControl * )*( n + 2 ), op->o_tmpmemctx );
221 if ( rs->sr_ctrls ) {
222 for ( ; rs->sr_ctrls[n] != NULL; n++ ) {
223 ctrls[n] = rs->sr_ctrls[n];
227 /* anonymous: "", otherwise "dn:<dn>" */
228 ctrls[n] = op->o_tmpalloc( sizeof( LDAPControl ) + len + 1, op->o_tmpmemctx );
229 ctrls[n]->ldctl_oid = LDAP_CONTROL_AUTHZID_RESPONSE;
230 ctrls[n]->ldctl_iscritical = 0;
231 ctrls[n]->ldctl_value.bv_len = len;
232 ctrls[n]->ldctl_value.bv_val = (char *)&ctrls[n][1];
236 ptr = lutil_strcopy( ctrls[n]->ldctl_value.bv_val, "dn:" );
237 ptr = lutil_strncopy( ptr, edn.bv_val, edn.bv_len );
239 ctrls[n]->ldctl_value.bv_val[len] = '\0';
242 rs->sr_ctrls = ctrls;
244 return SLAP_CB_CONTINUE;
252 if ( rs->sr_ctrls ) {
255 /* if ours, cleanup */
256 ctrl = ldap_control_find( LDAP_CONTROL_AUTHZID_RESPONSE, rs->sr_ctrls, NULL );
258 op->o_tmpfree( rs->sr_ctrls, op->o_tmpmemctx );
262 if ( op->o_callback->sc_private != NULL ) {
263 rs->sr_ctrls = (LDAPControl **)op->o_callback->sc_private;
264 op->o_callback->sc_private = NULL;
268 op->o_tmpfree( op->o_callback, op->o_tmpmemctx );
269 op->o_callback = NULL;
271 return SLAP_CB_CONTINUE;
281 if ( op->o_ctrlflag[ authzid_cid ] <= SLAP_CONTROL_IGNORED ) {
282 authzid_conn_t *ac = authzid_conn_get( op->o_conn );
284 op->o_ctrlflag[ authzid_cid ] = ac->authzid_flag;
285 op->o_controls[ authzid_cid] = ac;
289 if ( op->o_ctrlflag[ authzid_cid ] > SLAP_CONTROL_IGNORED ) {
291 op->o_callback = op->o_tmpalloc( sizeof( slap_callback ), op->o_tmpmemctx );
292 op->o_callback->sc_response = authzid_response;
293 op->o_callback->sc_cleanup = authzid_cleanup;
294 op->o_callback->sc_private = NULL;
295 op->o_callback->sc_next = sc;
298 return SLAP_CB_CONTINUE;
307 if ( op->o_ctrlflag[ authzid_cid ] != SLAP_CONTROL_NONE ) {
308 rs->sr_text = "authzid control specified multiple times";
309 return LDAP_PROTOCOL_ERROR;
312 if ( !BER_BVISNULL( &ctrl->ldctl_value ) ) {
313 rs->sr_text = "authzid control value not absent";
314 return LDAP_PROTOCOL_ERROR;
317 /* drop ongoing requests */
318 (void)authzid_conn_remove( op->o_conn );
320 op->o_ctrlflag[ authzid_cid ] = ctrl->ldctl_iscritical ? SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL;
326 authzid_db_init( BackendDB *be, ConfigReply *cr )
328 if ( !SLAP_ISGLOBALOVERLAY( be ) ) {
329 /* do not allow slapo-ppolicy to be global by now (ITS#5858) */
331 snprintf( cr->msg, sizeof(cr->msg),
332 "slapo-authzid must be global" );
333 Debug( LDAP_DEBUG_ANY, "%s\n", cr->msg, 0, 0 );
340 rc = register_supported_control( LDAP_CONTROL_AUTHZID_REQUEST,
341 SLAP_CTRL_GLOBAL|SLAP_CTRL_BIND|SLAP_CTRL_HIDE, NULL,
342 parse_authzid_ctrl, &authzid_cid );
343 if ( rc != LDAP_SUCCESS ) {
344 Debug( LDAP_DEBUG_ANY,
345 "authzid_initialize: Failed to register control '%s' (%d)\n",
346 LDAP_CONTROL_AUTHZID_REQUEST, rc, 0 );
354 * Almost pointless, by now, since this overlay needs to be global,
355 * and global overlays deletion is not supported yet.
358 authzid_db_destroy( BackendDB *be, ConfigReply *cr )
360 #ifdef SLAP_CONFIG_DELETE
361 overlay_unregister_control( be, LDAP_CONTROL_AUTHZID_REQUEST );
362 #endif /* SLAP_CONFIG_DELETE */
364 unregister_supported_control( LDAP_CONTROL_AUTHZID_REQUEST );
370 authzid_initialize( void )
372 ldap_pvt_thread_mutex_init( &authzid_mutex );
374 authzid.on_bi.bi_type = "authzid";
376 authzid.on_bi.bi_db_init = authzid_db_init;
377 authzid.on_bi.bi_db_destroy = authzid_db_destroy;
378 authzid.on_bi.bi_op_bind = authzid_op_bind;
380 return overlay_register( &authzid );
384 init_module( int argc, char *argv[] )
386 return authzid_initialize();